Digital Banking and Consumer Protection in India

Written by Jaydeep Kumar Yadav,
CMP Degree College, University of Allahabad,
June 2026

Introduction

In the last few years, the Indian banking sector has changed drastically owing to increased use of smartphones, growth in the use of the Unified Payments Interface (UPI), and financial inclusion through initiatives such as Jan Dhan Yojana. Digital banking, which refers to internet banking, mobile banking, payment wallets, and neo-banking, has led to a fundamental shift in the way Indians access their banking facilities.[1] While this trend has made banking much easier for consumers, it has also exposed them to many dangers. The regulatory and judicial response to these challenges has been incremental, often reactive, and shaped by a patchwork of statutes, circulars, and guidelines rather than a single comprehensive code. This article examines the existing legal framework governing digital banking in India, identifies the persistent gaps in consumer protection, and considers the trajectory of reform required to align the sector with global best practices.

The Regulatory Architecture

The Reserve Bank of India occupies the central position in regulating digital banking, exercising authority under the Banking Regulation Act, 1949, and the Payment and Settlement Systems Act, 2007.[2] Over the years, the RBI has issued a series of master directions and circulars specifically addressing digital lending, mobile banking, and customer liability in cases of unauthorized electronic transactions. The 2017 circular on customer protection limiting liability for unauthorized transactions was a landmark step, introducing a tiered liability framework that shields customers from loss where the fault lies with the bank’s systems, while imposing limited liability where the customer has been negligent, such as sharing One Time Passwords or login credentials.[3]

The RBI’s Digital Lending Guidelines of 2022 further sought to curb predatory practices among digital lending applications, mandating direct disbursal and repayment between regulated entities and borrowers without pass-through accounts of intermediaries, and requiring upfront disclosure of the annual percentage rate.[4] These guidelines emerged in direct response to widespread reports of coercive recovery practices and data misuse by unregulated lending applications, illustrating the reactive character of much of India’s digital banking regulation.

Beyond the RBI, the Information Technology Act, 2000, and its associated rules govern aspects of cybersecurity, data breaches, and electronic contracts,[5] while the Digital Personal Data Protection Act, 2023, introduces a dedicated framework for the processing of personal data, including financial data collected by banks and fintech entities.[6] The Consumer Protection Act, 2019, with its provisions on unfair trade practices and e-commerce, also extends, at least in principle, to digital financial services, although its application to complex banking disputes remains underdeveloped.[7]

Gaps in the Existing Framework

Despite this layered architecture, several structural deficiencies persist. First, the burden of proving negligence in cases of unauthorized transactions frequently falls, in practice, on the consumer, notwithstanding the RBI’s circular placing the onus on banks to establish the absence of system deficiency. Banking ombudsman data has repeatedly shown that complaints relating to ATM and online frauds form one of the largest categories of grievances, suggesting that the protective intent of the 2017 circular has not been uniformly translated into outcomes favourable to consumers.[8]

Second, the proliferation of unregulated digital lending applications, many operating outside the RBI’s direct oversight through complex corporate structures involving non-banking financial companies as a façade, has exposed vulnerable borrowers to exploitative interest rates and aggressive recovery tactics, including harassment through unauthorized access to contact lists and photographs stored on borrowers’ devices.[9] While the 2022 guidelines have curtailed some of these practices, enforcement against entities operating through offshore servers or shell arrangements remains a persistent challenge.

Third, the grievance redress mechanism, though formally robust through the Reserve Bank Integrated Ombudsman Scheme, 2021, suffers from accessibility constraints.[10] Consumers in rural and semi-urban areas, who form a significant proportion of new digital banking users under financial inclusion drives, often lack the digital literacy required to navigate online complaint portals, creating an inadvertent exclusionary effect.

Fourth, the interplay between the Digital Personal Data Protection Act, 2023, and sector-specific banking regulations remains unsettled. Banks and fintech intermediaries collect vast troves of behavioural and transactional data for credit scoring and risk assessment, often through algorithmic models whose decision-making processes lack transparency. The Act’s provisions on consent and purpose limitation, while welcome, do not yet have well-developed sectoral guidance for financial data processing, leaving open questions about the extent of algorithmic accountability owed to consumers denied credit or subjected to differential pricing.[11]

Consumer Protection in Practice

The judiciary has, on occasion, stepped in to fill gaps left by regulatory ambiguity. Consumer fora across the country have adjudicated disputes involving unauthorized debit card transactions, frequently ruling in favour of consumers where banks failed to demonstrate adequate security protocols or timely fraud alerts.[12] However, the absence of a unified appellate mechanism specifically for digital banking disputes means that outcomes can vary considerably depending on the forum and jurisdiction, leading to inconsistent jurisprudence on issues such as the standard of care expected of banks in detecting anomalous transaction patterns.

The introduction of the Account Aggregator framework, designed to enable consent-based sharing of financial data across institutions, represents a promising development insofar as it formalizes the principle of data portability and consumer control.[13] Yet its success depends heavily on the robustness of the underlying technical infrastructure and the digital literacy of end users, both of which remain works in progress.

The Way Forward

A more coherent consumer protection regime for digital banking in India would benefit from several reforms. Strengthening the enforcement mechanism against unregulated digital lending entities, including closer coordination between the RBI, the Ministry of Electronics and Information Technology, and law enforcement agencies, would help close the regulatory gap exploited by predatory lenders. Mandating algorithmic transparency obligations specific to credit decisioning, requiring financial institutions to disclose, at a basic level, the factors influencing adverse credit decisions, would enhance accountability without compromising proprietary interests.

Expanding digital literacy initiatives, particularly targeted at first-time digital banking users in rural areas, would address the accessibility gap in existing grievance redress mechanisms. Moreover, aligning the Digital Personal Data Protection Act with banking-specific guidelines issued by the RBI can offer greater clarity regarding the rules governing the processing of digital personal data in the banking sector.[14]

Conclusion

Digital banking services have brought considerable improvements in terms of financial inclusion and convenience for the Indian customer, although the legislation that governs such services still lags behind technological developments. The existing architecture, comprising RBI circulars, the Consumer Protection Act, the Information Technology Act, and the newly enacted Digital Personal Data Protection Act, offers meaningful but fragmented protection. A more integrated and proactively enforced regulatory approach, one that anticipates emerging risks rather than merely responding to them after consumer harm has already materialized, is essential if India’s digital banking revolution is to be matched by an equally robust commitment to consumer protection.

References

[1] Reserve Bank of India, Report on Trend and Progress of Banking in India 2022–23, at 45–52 (2023).

[2] The Banking Regulation Act, 1949, No. 10, Acts of Parliament, 1949 (India); The Payment and Settlement Systems Act, 2007, No. 51, Acts of Parliament, 2007 (India).

[3] Reserve Bank of India, Customer Protection — Limiting Liability of Customers in Unauthorised Electronic Banking Transactions, RBI/2017-18/15 (July 6, 2017).

[4] Reserve Bank of India, Guidelines on Digital Lending, RBI/2022-23/111 (Sept. 2, 2022).

[5] The Information Technology Act, 2000, No. 21, Acts of Parliament, 2000 (India).

[6] The Digital Personal Data Protection Act, 2023, No. 22, Acts of Parliament, 2023 (India).

[7] The Consumer Protection Act, 2019, No. 35, Acts of Parliament, 2019, § 2(47) (India).

[8] Reserve Bank of India, Annual Report of the Ombudsman Schemes 2022-23, at 18–24 (2023).

[9] Working Group on Digital Lending, Report of the Working Group on Digital Lending including Lending through Online Platforms and Mobile Apps, at 12–19 (Reserve Bank of India, Nov. 18, 2021).

[10] Reserve Bank of India, Reserve Bank — Integrated Ombudsman Scheme, 2021, RBI/2021-22/121 (Nov. 12, 2021).

[11] The Digital Personal Data Protection Act, 2023, No. 22, Acts of Parliament, 2023, § 4 (India).

[12] HDFC Bank Ltd. v. Jesna Jose, Revision Petition No. 3333 of 2013 (NCDRC Dec. 21, 2020) (India).

[13] Reserve Bank of India, Master Direction — Non-Banking Financial Company — Account Aggregator (Reserve Bank) Directions, 2016, RBI/DNBR/2016-17/46 (Sept. 2, 2016).

[14] Justice B.N. Srikrishna Comm., A Free and Fair Digital Economy: Protecting Privacy, Empowering Indians, at 87–94 (Ministry of Elecs. & Info. Tech. 2018).
